In the contemporary digital enterprise, the governance of information technology (IT) is no longer a discretionary operational task but a fundamental component of corporate governance. The adoption of robust governance frameworks is critical for ensuring that IT investments align with business objectives, risks are managed effectively, and resources are utilized responsibly. As regulatory demands and digital acceleration continue to shape the Canadian business landscape in 2026, the standard CAN/CSA-ISO/IEC TR 38502-15, officially entitled *Information technology — Governance of IT — Framework and model*, serves as a crucial blueprint. This document is the Canadian adoption of the international ISO/IEC TR 38502 and provides essential guidance on establishing a governance framework for IT, acting as a critical companion to the principles standard ISO/IEC 38500.
Scope and Purpose of CAN/CSA-ISO/IEC TR 38502-15
The primary purpose of this Technical Report is to provide a framework and a model for governing the use of IT within an organization. It is important to distinguish this TR from a management system specification; it does not prescribe normative “requirements” for certification but rather offers structured guidance and good practice principles.
Target Audience and Application
The document is specifically designed for governing bodies (the Board of Directors), executives (C-Suite), and managers who must understand how to integrate IT governance into the corporate governance structure. The scope extends to all organizations, regardless of size or industry, looking to adopt the principles laid out in ISO/IEC 38500. The standard applies to the “use of IT,” which explicitly includes functions managed by or provided to the organization by external third parties, making it highly relevant for organizations leveraging cloud services and managed service providers.
Transition Tool: TR 38502 is an excellent resource for organizations bridging the gap between general corporate governance frameworks (e.g., OECD Principles) and specific IT management systems (e.g., ISO/IEC 20000, ISO/IEC 27001). It provides the strategic “why” before the operational “how.”
The Technical Framework and Principles
CAN/CSA-ISO/IEC TR 38502-15 elaborates on the six principles of good IT governance established in ISO/IEC 38500. These principles form the ethical and strategic foundation for the governance framework.
The Six Governance Principles
The report defines a framework based on these six principles, which must be applied by the governing body:
- Responsibility: Clearly define responsibility and authority for IT.
- Strategy: IT strategy aligns with the business strategy.
- Acquisition: IT acquisitions are made for valid reasons based on analysis.
- Performance: IT is fit for its purpose in supporting the organization.
- Conformance: IT complies with mandatory laws, regulations, and internal policies.
- Human Behaviour: IT policies and practices respect human behaviour and needs.
The Evaluate-Direct-Monitor (EDM) Model
The core model presented in the TR is the EDM framework. This is the engine for putting the six principles into practice.
- Evaluate: The governing body continuously evaluates the current and future use of IT, including strategic opportunities, risks, and performance gaps.
- Direct: Based on evaluation, the governing body directs the preparation and implementation of plans, policies, and budgets to ensure IT meets business objectives.
- Monitor: The governing body monitors conformance to policies and performance against strategy through established key performance indicators (KPIs) and key risk indicators (KRIs).
Common Misapplication: A frequent error in governance is delegating the entire EDM cycle to IT management. While IT managers can perform operational evaluations and monitoring, the strategic “Evaluate” and “Direct” functions must remain within the governing body (the Board or C-Suite) to preserve the integrity and authority of the governance system.
| Governance Principle | Primary EDM Activity | Expected Governance Outcome |
| --- | --- | --- |
| Responsibility | Evaluate / Direct | Clear accountability structures for IT investments, risks, and operations. |
| Strategy | Evaluate / Direct | IT capability is aligned with and demonstrably supports organizational strategy. |
| Acquisition | Direct / Monitor | Balanced portfolio of IT investments ensuring optimal benefit vs. cost vs. risk. |
| Performance | Monitor | Demonstrable service delivery, resource utilization, and value creation from IT assets. |
| Conformance | Monitor | IT complies with external laws and regulatory requirements (e.g., PIPEDA, OSFI guidelines) and internal policies without exception. |
| Human Behaviour | Evaluate / Direct | Policies support, rather than hinder, business processes, employee productivity, and culture. |
Implementation Highlights and Practical Integration
Implementing the framework from CAN/CSA-ISO/IEC TR 38502-15 is rarely a standalone project. Instead, it provides the strategic compass for integrating governance into existing management systems and regulatory compliance programs.
Bridging to Management Systems
The TR explicitly supports the integration of governance into:
- ISO/IEC 27001: Information security governance requires the “Evaluate” stage to assess the threat landscape and the “Direct” stage to set the scope and policy of the Information Security Management System (ISMS).
- ISO/IEC 20000-1: Service management governance ensures executives set the service strategy and define the quality policy.
- ISO 31000: Enterprise Risk Management is deeply embedded in the “Evaluate” component of the EDM model.
A common implementation challenge in Canada involves aligning federal and provincial privacy laws (PIPEDA, Quebec Law 25) and sector-specific regulations (OSFI Guideline B-13, CIRO) with the EDM model. The “Direct” component, for example, requires Boards to explicitly define risk appetite regarding data residency and AI ethics.
Strategic Alignment: Organizations that successfully map their existing management systems to the EDM model report significantly higher transparency in decision-making and a stronger alignment between the Board’s strategic vision and IT operational execution. This integration is a hallmark of digital maturity in the 2026 regulatory environment.
Compliance and Auditing Considerations
It is vital to understand that the “TR” designation (Technical Report) means that CAN/CSA-ISO/IEC TR 38502-15 is not a normative standard. Therefore, third-party certification to this document is not applicable in the same way it is for ISO 9001 or ISO 27001. However, conformance to the principles and model of the TR can be audited through gap analysis and maturity assessments.
Auditing against the Framework
Auditors typically assess:
- Whether the governing body has formally evaluated current IT issues, business risks, and strategic opportunities.
- Whether formal directives (policies, plans, charters) have been issued based on this evaluation.
- Whether monitoring mechanisms (KPIs, KRIs, board reports) exist to track conformance and performance.
- Whether evidence exists that the governing body actively reviews monitoring data and adjusts directives (closing the EDM loop).
Certification Fallacy: Be wary of any service provider offering “ISO/IEC TR 38502 Certification.” Because this is a Technical Report, it does not contain normative requirements (“shall” statements) suitable for a traditional certification audit. Acceptable assessments are “conformance assessments” or “capability maturity model (CMM) evaluations” that measure alignment with the framework.
FAQs
Q: What is the primary difference between ISO/IEC 38500 and ISO/IEC TR 38502?
A: ISO/IEC 38500 is the core international standard providing the six principles for IT governance at the highest level. ISO/IEC TR 38502 is a Technical Report that provides a detailed framework and operational model (Evaluate, Direct, Monitor) to help organizations *implement* the principles of ISO/IEC 38500. You can think of 38500 as the “what” and the TR 38502 as the “how” at a conceptual governance level.
Q: Can my organization get a certificate for CAN/CSA-ISO/IEC TR 38502-15?
A: No. As a Technical Report (TR), this document provides guidance rather than requirements. It is not intended for third-party certification. Instead, organizations should use it to guide a Board-level self-assessment or a third-party gap analysis to improve their overall governance posture.
Q: How does this Canadian adoption differ from the international ISO/IEC TR 38502?
A: A Canadian adoption (CAN/CSA) includes a National Standard of Canada (NSC) identifier. It is technically identical to the international version but has been formally adopted by the Standards Council of Canada and published by the CSA Group. This formal adoption provides greater legal and regulatory relevance within the Canadian context, particularly for federally regulated entities.
Q: How does this relate to comprehensive frameworks like COBIT 2019 or ITIL 4?
A: ISO/IEC TR 38502 provides the “Ends” (principles and model for strategic governance). COBIT 2019 provides a detailed “Means” (processes, practices, governance enablers) for achieving those governance objectives. ITIL 4 focuses on the operational service management layer. TR 38502 serves as the strategic umbrella under which these detailed process frameworks can be aligned and governed effectively.
Conclusion
CAN/CSA-ISO/IEC TR 38502-15 represents a critical milestone for Canadian organizations aiming to professionalize their IT governance. By providing a clear, non-commercial link between corporate governance principles and the practical EDM model, it enables boards and executives to take true ownership of their IT strategy and performance. The relevance of a structured governance framework has only intensified as we advance through 2026. For organizations seeking sustainable, transparent, and value-driven IT governance, this Technical Report remains the definitive starting point for the journey.